Two competing release-notes pipelines existed: the release branch's
hardened render/verify/provenance pipeline (a486f3ab08 + dcee1da876,
battle-tested by 2026.7.1) and main's lighter prepare-github-release-notes
size gate (#103222). Repo policy is one canonical path; the release-branch
pipeline wins and main's unique value is grafted in:
- scripts/render-github-release-notes.mjs becomes the canonical release
body renderer (full/compact 125k char+byte modes, tag-pinned record
link, verification tail, canonical shipped-baseline format), now also
preferring a correction tag's dedicated changelog section (from
prepare's heading matrix).
- verify-release-notes.mjs is a three-way merge: release's --shipped-ref
cumulative baselines, provenance checks, highlights gate, and the
excluded-record rewrite fix, plus main's compact contribution rows,
externalReferences threading, and both-heading parser compat.
- release-candidate-checklist.mjs gains validateCandidateCheckout and
changelog-provenance gates that run before any dispatch.
- openclaw-release-publish.yml keeps main's fail-before-mutation early
notes gate (retargeted to the renderer) and adopts release's
render/verify_release_tag_target/canonical_release_body_matches flow.
- scripts/prepare-github-release-notes.mjs and its test are deleted;
release-notes-ledger.test.ts stays and pins the merged verify exports.
- .gitignore tracks every repo skill for Git-aware syncs; SKILL.md
runbooks and RELEASING.md document the converged contract.
Xcode syncs the iOS project supergraph pins (ElevenLabsKit, WebRTC, cmark,
swift-markdown) into the local swabble package's Package.resolved on every
resolve, leaving permanent dirty-worktree noise. Match the existing
OpenClawKit convention: ignore the file. Reproducibility is unaffected -
swabble's only runtime dependency is exact-pinned (Commander 0.2.2) and CI
cache keys hash Package.swift + Sources, not this file.
Split the diffs viewer Shiki language pack into an external publishable plugin.
The diffs plugin keeps the default curated syntax set, while the new @openclaw/diffs-language-pack package carries the extended Shiki languages for npm and ClawHub distribution. The install metadata includes the external ClawHub spec, and the curated C# alias set keeps both c# and cs supported without the language pack.
Co-authored-by: Dallin Romney <dallinromney@gmail.com>
* feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows [AI-assisted]
Stand up an end-to-end pipeline that turns every published openclaw GitHub
Security Advisory into a reusable OpenGrep rule, and wire the compiled rules
into manual-dispatch GitHub Actions workflows that publish SARIF to GitHub
Code Scanning.
The pipeline is harness-agnostic: any coding-agent CLI (Rovo Dev, Claude
Code, Codex, OpenCode, or anything you can shell out to) can drive it via
the runner script's --harness flag. Built-in adapters cover the four common
harnesses; --harness-cmd '<template>' supports anything else with shell-style
{prompt}/{model}/{output_file} substitution.
Pipeline pieces:
- scripts/run-ghsa-detector-review-batch.mjs runs your chosen coding harness
in parallel against every advisory using the agent-agnostic detector-review
spec at security/detector-review/detector-review-spec.md. Each case
produces an opengrep general-rule.yml (precise) and broad-rule.yml
(review-aid), plus a coverage-validated report against the vulnerable
commit's changed files.
- scripts/compile-opengrep-rules.mjs walks a run directory, rewrites each
rule's id to ghsa-detector.<ghsa>.<orig-id>, injects ghsa/advisory-url/
detector-bucket/source-rule-id metadata, and uses opengrep itself to drop
rules with InvalidRuleSchemaError so the published super-configs load
cleanly.
Compiled outputs:
- security/opengrep/precise.yml (336 rules)
- security/opengrep/broad.yml (459 rules)
- security/opengrep/compile-manifest.json (per-rule provenance map)
CI workflows (manual workflow_dispatch only):
- .github/workflows/opengrep-precise.yml
- .github/workflows/opengrep-broad.yml
Both install a pinned opengrep, run opengrep scan against src/, upload SARIF
to Code Scanning under categories opengrep-precise / opengrep-broad, and use
continue-on-error: true so findings never block the workflow.
Detector-review spec and assets:
- security/detector-review/detector-review-spec.md the agent-agnostic spec
the runner injects into each per-case prompt
- security/detector-review/references/{detector-rubric,report-template}.md
- security/detector-review/scripts/init_case.py
- security/prompt-suffix-coverage-first.md mandatory prompt addendum that
enforces coverage-first validation (rule must catch the OG vuln, not just
pass synthetic fixtures)
Docs:
- security/README.md end-to-end flow, supported harnesses, regen recipe
- security/opengrep/README.md compiled-config details + recompile recipe
* security: tighten GHSA OpenGrep detector workflow
* chore: refine precise opengrep workflow
* chore: remove stale opengrep metadata
* fix: harden GHSA OpenGrep workflow
* ci: split OpenGrep diff and full scans
* chore: remove performance-only opengrep rule
* ci: use OpenGrep installer path
* chore: enforce opengrep rule metadata provenance
* chore: generalize opengrep rule compilation
* docs: align opengrep rulepack guidance
* chore: support generic opengrep rule sources
* fix: validate opengrep rulepack-only changes
---------
Co-authored-by: Jesse Merhi <security-engineering@atlassian.com>
* fix(control-ui): rebalance quick settings into stable 3-col bento
Pair Appearance with Automations and let Channels stand alone in the
middle column so all three top-row columns reach similar heights.
Promote Personal to a full-width row with a horizontal body
(identity tiles | emoji + actions) so the avatar block stops fighting
for half-width space. Drops the unused .qs-stack--wide hook.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* refactor(control-ui): rebalance Personal card with symmetric User↔Assistant identity pair
Restructure Personal card layout to present User and Assistant as 2 balanced identity cards instead of separate User tile + form controls. Mirrors the visual hierarchy and UI pattern across both identities.
Changes:
- Move User avatar text input into User identity card's .__repair section (mirroring Assistant's structure)
- Inline "Choose image" and "Clear avatar" buttons as flex-wrapped action group
- Remove .qs-personal-body and .qs-personal-form wrapper divs
- Update Personal card's .qs-identity-grid to 2-column layout with balanced spacing
- Responsive collapse to 1-column at ≤760px
Tests:
- config-quick.test.ts updated to expect 2 stacks (no longer wrapping Personal in form)
- config-quick.test.ts validates identity card layout now has symmetric User↔Assistant structure
- All 10 quick settings view tests passing
- All 20 schema regression tests passing
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* chore: ignore .vmux worktree paths
* fix(control-ui): persist assistant avatar override locally instead of via gateway config
Mirrors the user-avatar pattern: assistant avatar uploads now go to
localStorage and overlay the gateway-resolved identity at bootstrap and on
agent.identity.get refreshes. Sidesteps the ui.assistant.avatar zod cap
that rejected uploaded data URLs as 'Too big: expected string to have
<=200 characters', removes one config.patch RPC from the avatar path, and
collapses the upload handler from a 44-line async/loadConfig dance into a
plain synchronous setter.
Also lifts the gateway-side ui.assistant.avatar schema cap from 200 to
2,000,000 to match the user-avatar size budget for non-UI clients writing
the field directly, and adds a content-aware text/image normalizer in
ui/src/ui/assistant-identity.ts so short-text avatars stay short while
data URLs survive round-tripping.
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>